Decentralized science platform Pump Science recently issued a warning to its users about fraudulent tokens being deployed through its Pump.fun account. The warning came after the platform’s private key was leaked on GitHub, allowing attackers to create fake tokens such as Urolithin B through E (URO) and Cocaine (COKE) using Pump Science’s compromised profile.
Pump Science is known for its focus on creating tokens related to longevity medicine research. The project aims to gamify longevity research by connecting token holders with intellectual property rights for chemical compounds. This unique approach allows token holders to sell “intervention” rights to suppliers, bridging the gap between research and commerce.
Following the security breach, the prices of two tokens launched by Pump Science, Rifampicin (RIF) and Urolithin A (URO), dropped by over 25%. Rifampin is an antibiotic used to treat tuberculosis, while Urolithin A is being studied for its potential to enhance mitochondrial function and muscle health. Pump Science has advised its users to avoid interacting with any new tokens originating from the compromised profile to prevent further exploitation by the attacker.
The leak of the private key was attributed to an oversight by BuilderZ, a Solana-based software development firm working on the project. The private key for the developer wallet was mistakenly left in the GitHub codebase, which allowed the unauthorized creation of fraudulent tokens. Pump Science has since renamed its Pump.fun profile to “dont_trust” and is working with blockchain security firm Blockaid to flag any fraudulent mints from the compromised address.
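The following is an added example, not code from Pump Science or BuilderZ: a minimal scan that a pre-commit hook or CI job could run to catch a wallet key before it reaches a repository. It assumes the key is stored in one of the two common Solana encodings (a 64-byte JSON array as written by solana-keygen, or the same bytes as a base58 string); the sample file and every name in it are constructed.

```python
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_CLASS = "[1-9A-HJ-NP-Za-km-z]"
# solana-keygen keypair file: JSON array of 64 byte values (secret seed + public key).
JSON_ARRAY_RE = re.compile(r"\[\s*\d{1,3}(?:\s*,\s*\d{1,3}){63}\s*\]")
# Wallet export: the same 64 bytes in base58. A 64-byte signature looks identical: review hits.
BASE58_RE = re.compile(rf"(?<!{B58_CLASS}){B58_CLASS}{{64,88}}(?!{B58_CLASS})")


def b58encode(data):
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' encodes one zero byte
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def find_keypair_material(text):
    """Return sorted (line_number, kind) pairs for strings shaped like a 64-byte key."""
    hits = []
    for m in JSON_ARRAY_RE.finditer(text):
        if all(int(v) <= 255 for v in re.findall(r"\d+", m.group(0))):
            hits.append((text.count("\n", 0, m.start()) + 1, "json-byte-array"))
    for m in BASE58_RE.finditer(text):
        if len(b58decode(m.group(0))) == 64:  # length check drops shorter base58 values
            hits.append((text.count("\n", 0, m.start()) + 1, "base58-secret-key"))
    return sorted(hits)


# Constructed sample: bytes 1..64 stand in for a key; no real key material.
FAKE_KEY = bytes(range(1, 65))
SAMPLE = "\n".join([
    "# settings.py (constructed)",
    f"DEV_WALLET = {list(FAKE_KEY)}",
    f"DEV_WALLET_B58 = '{b58encode(FAKE_KEY)}'",
    f"PROGRAM_ID = '{b58encode(bytes(32))}'",  # 32-byte address shape, not flagged
])
if __name__ == "__main__":
    for lineno, kind in find_keypair_material(SAMPLE):
        print(f"line {lineno}: possible Solana secret key ({kind})")
```

A hit on a file already pushed means the key must be treated as compromised and rotated, since removing it in a later commit leaves it in the repository history.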
To enhance security measures, Pump Science plans to conduct a complete audit of its front-end system and implement bug bounty programs for penetration testing. Future token launches will undergo thorough app and smart contract audits, and the platform has decided to discontinue launching tokens on Pump.fun to prevent similar incidents in the future.
Despite the efforts to address the security breach, the community has expressed concerns over the project’s handling of the situation, with some users questioning its operational competence. Private key leaks remain a major threat in the decentralized space, as shown by the significant financial losses reported in the third quarter of 2024 due to such incidents. It is crucial for projects like Pump Science to prioritize security measures to protect their users and prevent unauthorized access to their systems.